Global networking of computers has greatly impacted business. As the number of computers linked to networks grows, businesses increasingly rely on networks to interact. More and more people use email, websites, various file transfer methods, and remote office applications, among others, to facilitate business transactions and perform job related tasks.
These applications and uses still rely on early network addressing technologies and flow control protocols to transmit data packets across networks. For example, the Internet Protocol (IP) is an addressing protocol for referencing remote devices on a network. The protocol is implemented to include a packet header that contains bits representing an address of the source, an address of the target, and various other parameters associated with the packet. The Address Resolution Protocol (ARP) is used to reconcile physical addresses on local segments of a network with IP addresses. Other protocols are used for flow control including TCP and UDP. These protocols may be used to control the flow of packets across a network including subdividing and reassembling the packets. TCP also includes methods for verifying the arrival of a packet. Other protocols include ICMP, IPX, SPX, NetBios, and ARP, among others. Historically, these protocols were designed for use on a trusted network and as such do not include many security features. To address this problem, newer protocols are designed to include some security measures. However, at present, the global Internet and many local area networks predominantly use older protocols with various vulnerabilities.
Hackers and malfeasants take advantage of the weaknesses in these protocols to disrupt, infiltrate, or destroy networked devices. These attacks include worms, viruses, denial-of-service, and infiltration attacks, among others. Worms are self-replicating programs that infect computers. In some cases, these worms take advantage of the trusting relationships between computers to infiltrate network and send network data to the attacker. Viruses infect files and utilize vulnerabilities of programs that interpret the files to propagate. A virus may also function to erase data. Denial-of-services (DoS) attacks often limit the network activity of a target computer by inundating the target with requests or messages. In one example, an attacking computer or set of computers may send a plethora of low level pings to the target device. If the pings include a non-existent return address, the target machine could send a response message and pause over a timeout period for a response. In attempting to respond to the pings, the machine effectively denies network access to other applications.
Infiltrating attacks often circumvent password security and gain access to files. Once the attacker has access, they may steal private information such as credit card or social security numbers. Moreover, they may damage valuable data, install a worm or spying program, or install programs to utilize computational capacity.
The FBI reports that millions of dollars are lost each year as a result of these attacks. In the “2002 Computer Crimes and Security Survey,” as much as 90% of the Fortune 2000 companies reported breaches in computer security. According to the survey, each successful attack cost corporations an average of $2.1 Million. The losses include lost data, employee time used in recovering data, delays in existing projects, and damage to equipment. Fifty five percent of the companies surveys reported denial-of-service attacks, 70% reported infiltration and vandalism attacks, and twelve percent reported theft of transaction information.
Hackers use various tools and methodologies to discover vulnerable devices and interact with them. These tools include address scanners, port scanners, worms, and packet formulation programs, among others. For example, a hacker may send reconnaissance packets to a local network segment in search of a computer or device. Once a device is found, the hacker may scan the ports on the device in search of a vulnerable port.
Several approaches exist for protection against hackers. Typically, these protections are defensive shield-like methods. The most common are firewalls, intrusion detection systems (IDS), and anti-virus software. Firewalls are devices typically placed as shields between a local network and the global network. Firewalls are the most common form of network protection. They perform their function by limiting communication between the local network and global network in accordance with various filters and rules. Typically, network traffic is either blocked or permitted based on rules regarding protocols, addressing, and port number. These filters are infrequently changed and can unintentionally encumber certain permissible network traffic while permitting unwanted traffic.
Intrusion detection systems detect intrusions or attacks and report these attacks to network security. The systems predominantly use packet signatures to evaluate network packets. However, these systems have been shown to be unreliable as they can generate false positive results. Often, the systems collapse under the weight of the data they collect. Further, these systems may not detect packets with signatures that are not found in their signature database, resulting in false negatives as well. Moreover, these systems often present the data to network security in a format that prevents timely response to threats.
Similarly, anti-virus software typically relies on file signatures to detect viruses. As such, frequent updates are required to maintain a current database of virus signatures. If an undocumented virus enters the network, the anti-virus software will likely fail.
Many network security systems suffer from deficiencies in detecting and preventing attacks on a network. Many other problems and disadvantages of the prior art will become apparent to one skilled in the art of networks security systems after comparing such prior art with the present invention as described herein.